Detour path in GRC 10

Former Member
0 Kudos

Dear Expert,

Any idea where we can maintain the detour configuration in GRC AC 10?

In MSMP I can see route mapping, but I am not sure if this is the place where I need to configure the detour, as it does not have an option to set a detour condition.

Thanks & Regards

Asheesh

Accepted Solutions (1)

Former Member
0 Kudos

Hi Asheesh,

In the 5th stage of workflow configuration, 'Maintain Paths', you can activate routing and assign a routing rule to a stage.

To create a new routing rule you can use BRF+ or function modules and configure these rules in workflow configuration.

Hope this helps.

Best Regards,

Aman

Former Member
0 Kudos

Dear Amanjit

At Maintain Paths in MSMP, at stage level I can see the "Routing enabled" option with rule IDs like SOD violation and no role owner check, etc.

Do you mean the same option?

I am wondering if we still have the option to set a condition like "SOD violation found/not found" as in GRC AC 5.3.

Also, where do I need to define the stage that the detour path needs to take once the detour condition is met?

Thanks a lot for your help.

Best Regards

Asheesh

Former Member
0 Kudos

Hi Asheesh,

As of now SAP is not supporting routing/detour paths created using BRF. For solving your purpose of detour path during SOD violation you can use standard function module rule "GRAC_MSMP_DETOUR_SODVIOL". This will solve your purpose.

1. Create the initiator workflow

2. Make risk analysis mandatory in any stage and in same stage click on "Routing enabled" >Show details> Rule Id: GRAC_MSMP_DETOUR_SODVIOL and Rule result set "SODVIOL_DETOUR_PATH".

3. Create a path and route for SODVIOL_DETOUR_PATH ruleset.

Please let me know if you have more queries.

Regards

Rajan Arora

Former Member
0 Kudos

Dear Experts,

I'm working on activating the detour to the manager stage (001); however, I have the following question:

When I start step 7 (Maintain Route Mapping), is it necessary to create a specific path for this detour (SOD risks)? Or can I use the default?

Best Regards,

Former Member
0 Kudos

Hi Rajan,

I have configured the workflow the same as you mentioned, because my scenario is exactly the same as Asheesh's scenario.

At the security stage (2nd stage of the path) the security admin needs to run risk analysis, and if any violations occur then the request should detour to the internal control team for creating / recommending any mitigation control ID. After they approve, the same request must come to the security admin to manually provision the role.

But in my case, after the security admin runs the risk analysis and gets the SOD violations, the request is not detouring to another path, even though routing is enabled at the security stage.

Please let me know one thing: when SOD violations occur at the security stage, will the request automatically be routed to another specified path, or does the security admin need to select and press any buttons like Approve or Reject? When I click Approve at this security stage, the request is closed and the role is assigned automatically in the back-end system even though it has SOD violations.

Please suggest.

Regards,

Ravi.

Former Member
0 Kudos

Hi Ravi

The detour path is only taken once the request is approved or rejected. Make sure in the stage settings the detour is reflected in both "Modify" and "Modify setting". Some time done at one place will reflect setting.

Also you need to map the SOD detour condition to a path in the step Maintain Routing.

Hope this helps.

Thanks & Regards

Asheesh
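A simplified model of the routing behaviour discussed in the posts above, added here as an illustration (it is not SAP code and not from any poster). Only the rule ID and the rule result come from the thread; the path names, stage names, the `NO_DETOUR` result and both functions are constructed assumptions. It shows why an unmapped rule result lets an approved request provision despite SoD violations, and how to flag that gap.

```python
from dataclasses import dataclass

RULE_ID = "GRAC_MSMP_DETOUR_SODVIOL"   # routing rule named in the thread
SOD_RESULT = "SODVIOL_DETOUR_PATH"     # rule result named in the thread
NO_SOD_RESULT = "NO_DETOUR"            # assumed placeholder for "no violation"

@dataclass
class Stage:
    name: str
    routing_rule: str = ""             # empty string = routing not enabled

def unmapped_detours(paths, route_mapping):
    """Stages whose routing rule has no path mapped for the SoD result."""
    return [(pid, s.name) for pid, stages in paths.items() for s in stages
            if s.routing_rule and (s.routing_rule, SOD_RESULT) not in route_mapping]

def run_request(paths, route_mapping, start_path, sod_violation):
    """Approve at every stage; return the stages visited, ending in PROVISION."""
    visited, queue, detoured = [], list(paths[start_path]), set()
    while queue:
        stage = queue.pop(0)
        visited.append(stage.name)     # the approver presses Approve here
        if not stage.routing_rule or stage.name in detoured:
            continue
        # The routing rule is evaluated only after the approval decision.
        result = SOD_RESULT if sod_violation else NO_SOD_RESULT
        target = route_mapping.get((stage.routing_rule, result))
        if target:                     # detour replaces the remaining stages
            detoured.add(stage.name)
            queue = list(paths[target])
    return visited + ["PROVISION"]

# Constructed sample configuration (names are illustrative only).
PATHS = {
    "DEFAULT_PATH": [Stage("MANAGER"), Stage("SECURITY", RULE_ID)],
    "SOD_DETOUR": [Stage("INTERNAL_CONTROL"), Stage("SECURITY_PROVISION")],
}
BROKEN_MAPPING = {}                                      # rule result not mapped
FIXED_MAPPING = {(RULE_ID, SOD_RESULT): "SOD_DETOUR"}    # rule result mapped

if __name__ == "__main__":
    print(unmapped_detours(PATHS, BROKEN_MAPPING))
    print(run_request(PATHS, BROKEN_MAPPING, "DEFAULT_PATH", True))
    print(run_request(PATHS, FIXED_MAPPING, "DEFAULT_PATH", True))
```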

Former Member
0 Kudos

Hi Asheesh,

Thanks for the reply.

What is the routing level? Is it stage level or line item level? Which one should I select while enabling routing?

Please suggest.

Regards,

Ravi.

Former Member
0 Kudos

Hi Asheesh/Rajan

Do I need to run the risk analysis to make the default path take the detour path, and once I correct and approve at the compliance stage in the detour path, will it automatically come back to the role owner stage from where it actually got detoured? Or do I need to approve/reject at the role owner stage in order to activate the detour workflow?

Regards

Pradeep

Former Member
0 Kudos

Hi Asheesh Mishra

Please help me reply to my post as I need to resolve this issue ASAP.

Regards

Pradeep

Former Member
0 Kudos

Dear Anjan,

I also followed your instructions, many thanks for the clear explanation.

I did not use the standard detour rule, but created a (for now) identical, custom one: ZGRAC_MSMP_DETOUR_SODVIOL.

Unfortunately I get an error when generating the new MSMP version: "Rule with ID ZGRAC_MSMP_DETOUR_SODVIOL does not exist for rule type 1". And then the next error states "Rule ID ZGRAC_MSMP_DETOUR_SODVIOL (rule type F) is not compatible with process type".

Do you have an idea what is causing the error to be thrown? I have double checked that the new rule is defined for the process type SAP_GRAC_AR, that the rule kind is Routing Rule and that the rule type is Functional Module Based Rule.

Thanks in advance.

Kind regards,

EM

Answers (4)

0 Kudos

Is there a way to trigger the detour path only if the risk level is High or Critical?

Regards.

Former Member
0 Kudos

No, standard routing does not give that. You need to create a custom rule for capturing the path, as per risk level. Check

Regards

plaban

0 Kudos

Thanks Plaban.

It works.

Regards

Former Member
0 Kudos

In ARQ, the approver performs a risk violation check. If a violation is found then the workflow is routed (detour) to the risk owner. Is there a way to activate the detour for high risks only? Low and medium risks should not go to the detour path.

Former Member
0 Kudos

Hi.

Guys, do you know how I can create a SoD detour for roles?

Thanks

Former Member
0 Kudos

Hi Magaly,

Currently we can't create detour from BRF+, but you can use the standard detour workflow for the same.

GRAC_MSMP_DETOUR_SODVIOL: You can add this as routing rule.

Regards

Rajan Arora

Former Member
0 Kudos

Hi Rajan,

I tried to use the GRAC_MSMP_DETOUR_SODVIOL rule in the role approval workflow but I can't use it. Is it possible to do this?

In fact I can't even save new rules. What am I doing wrong?

Regards,

Former Member
0 Kudos

Hi Magaly

I think you are talking about the workflow in ERM, where you can trigger a workflow while creating a role.

As per my knowledge you cannot have a detour there.

A detour path is only possible from CUP, when predefined conditions are met and the request cannot proceed on the predefined path.

Thanks & Regards

Asheesh

Former Member
0 Kudos

Hi Ashis

Thank you. I tried every way to configure a SoD evaluation detour in ERM, but it's not possible.

Regards,

Former Member
0 Kudos

Thanks Rajan and Amanjit, it's working with the solution provided by you.

Thanks & Regards

Asheesh

Former Member
0 Kudos

Hi Asheesh,

Can you confirm whether you fixed the issue? Routing works only if we reject the request?

I have the following scenario:

1. No SoDs >> Take approval from the Role Owner and create the user / assign the access using workflow

2. SoDs found >> Role Owner approval and then Security team approval; after this the user ID will be created and the access assigned

I have configured it as below:

Maintain Paths

1. GRAC_DEFUALT_PATH. In this I have configured rerouting using function module GRAC_MSMP_DETOUR_SODVIOL to route from the Role Owner stage to the Security stage

2. ZGRAC_NO_SOD_PATH, with the role owner as the only stage

Maintain Route Mapping

1. Map GRAC_DEFUALT_result to Default_path

2. Map GRAC_MSMP_DETOUR_SODVIOL to the Default Path again for any SOD violations

3. Used one more function module, GRAC_INITIATOR_SOD_VIOLATIONS, to check SoDs and map the No SOD result to ZGRAC_NO_SOD_PATH

The workflow is working perfectly for Scenario# where SoDs exist.

But for Scenario#1, it is still following the same path with 2 stages. Ideally it should go to the role owner and assign the access.

I believe this is because it is just following 1 path, GRAC_DEFUALT_PATH, even though there are no SODs.